A new intelligence leak claims that the US is conducting large-scale surveillance of EU governments. Apparently the NSA has bugged EU offices in the US and in Brussels, intercepting hundreds of millions of communications. Embarrassing for the US. One German politician has likened it to the days of the Cold War.

The same source, former US intelligence contractor Edward Snowden, has previously leaked information about a US government program, PRISM, through which the NSA gains access to huge amounts of internet data including emails, chat rooms and video.

Public outcry about PRISM was likely a factor in our federal government’s recent decision not to implement new data retention laws. The proposed laws would have required telecommunications data to be stored for two years in case it was needed by law enforcement or security agencies.

Law enforcement and security agencies still have the power to conduct surveillance and obtain information from businesses. But currently businesses have relative freedom over the length of time for which they store customer data.

Here are some pointers if your business receives a request for information from the government.

  • As soon as you receive a request, make sure you stop any normal data purge processes and preserve all potentially relevant data.
  • Check that the agency in question has the power to obtain the kind of material it is requesting under relevant legislation.
  • Sometimes an agency might ask you to provide information informally or voluntarily. A formal statutory request for information will normally trump privacy obligations to your customers. An informal request may not.
  • Make sure you understand exactly what information is requested. Insufficient production might expose you to criminal penalties. Over-production might result in non-compliance with your privacy obligations.